Any company that handles Controlled Unclassified Information (CUI) on behalf of the U.S. Government must comply with NIST SP 800-171. To aid in compliance, the Office of the Secretary of Defense (OSD) has developed the Cybersecurity Maturity Model Certification (CMMC). This new certification process was put into initial review in January 2020 and will begin being added to contracts in June of 2020.
There are 5 levels of CMMC Certification, each with a varying number of controls. These security controls will be specified under contract and get progressively more detailed:
-
Level 1 – 17 Controls
-
Level 2 – 72 Controls
-
Level 3 – 130 Controls
-
Level 4 – 156 Controls
-
Level 5 – 171 Controls
While we encourage all insureds to meet the maximum number of security controls as possible, it is important to check with your government contract specialist to ensure you are meeting the correct objectives.
Read the NIST SP 800-171 for a full description of all the relevant security controls. The CMMC 1.0 Draft can be found here, as well.
For more information on this topic, please reach out to us; we're here to help!